Skype's encryption procedure partly exposed
Developer Sean O'Neill, famous in cryptographic circles for designing the EnRUPT hash algorithm, has released an open source Skype library that emulates the modified version of the RC4 encryption algorithm used by Skype. Skype chose to modify key generation for the stream cipher to make its product incompatible with other IM clients and ensure that it remained a closed system. However, initial analysis suggests that O'Neill's publication does not mean that Skype's encryption can be considered 'cracked'. Further study will be needed to determine whether key expansion and initialisation vector generation are secure.
Because Skype has not released details of its encryption procedures, for years researchers have been trying and failing to reverse engineer the company's encryption. What is clear is that Skype uses a variety of encryption procedures. AES-256 is used to communicate with Skype's login server, SMS/event server and search servers. Supernodes and clients use the modified version of RC4 for the actual communication.
No further information is currently available – O'Neill's website, on which he announced his breakthrough, is currently offline. Even the Skype Library RC4 v1.108 download is currently offline. O'Neill has promised further details, but not until December, when he intends to present his findings at the Chaos Communication Congress in Berlin (27C3).
Until then, interested users can examine the code and use it for test purposes. Commercial usage is currently permissible only after consultation with O'Neill.